The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.

Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.

An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.

The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.

Successful exploitation allows remote attackers to
execute arbitrary code under the privileges of the target
user. Exploitation requires that an attacker either coerce
or force a target to connect to a malicious server using
NTLM authentication.

An exploitable stack-based buffer overflow condition
exists when using Kerberos authentication. The problem
specifically exists within the functions
Curl_krb_kauth() and krb4_auth()
defined in lib/krb4.c.

Successful exploitation allows remote attackers to
execute arbitrary code under the privileges of the target
user. Exploitation requires that an attacker either coerce
or force a target to connect to a malicious server using
Kerberos authentication.

Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.

An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.

Successful exploitation allows remote attackers to
execute arbitrary code under the privileges of the target
user. Exploitation requires that an attacker either coerce
or force a target to connect to a malicious server using
NTLM authentication.

An exploitable stack-based buffer overflow condition
exists when using Kerberos authentication. The problem
specifically exists within the functions
Curl_krb_kauth() and krb4_auth()
defined in lib/krb4.c.

Successful exploitation allows remote attackers to
execute arbitrary code under the privileges of the target
user. Exploitation requires that an attacker either coerce
or force a target to connect to a malicious server using
Kerberos authentication.